{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,14]],"date-time":"2026-02-14T07:53:13Z","timestamp":1771055593069,"version":"3.50.1"},"reference-count":35,"publisher":"Emerald","issue":"1","license":[{"start":{"date-parts":[[2020,7,3]],"date-time":"2020-07-03T00:00:00Z","timestamp":1593734400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2022,1,31]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>By using a new feature extraction method on the Cert data set and using a hidden Markov model (HMM) to model and analyze the behavior of users to distinguish whether the behavior is normal within a continuous period.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>Feature extraction of five parts of the time series by rules and sorting in chronological order. Use the obtained features to calculate the probability parameters required by the HMM model and establish a behavior model for each user. When the user has abnormal behavior, the model will return a very low probability value to distinguish between normal and abnormal information.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>Generally, HMM parameters are obtained by supervised learning and unsupervised learning, but the hidden state cannot be clearly defined. When the hidden state is determined according to the data set, the accuracy of the model will be improved.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>This paper proposes a new feature extraction method and analysis mode, which determines the shape of the hidden state according to the situation of the data set, making subsequent HMM modeling simple and efficient and in turn improving the accuracy of user behavior detection.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-12-2019-0142","type":"journal-article","created":{"date-parts":[[2021,2,12]],"date-time":"2021-02-12T18:38:33Z","timestamp":1613155113000},"page":"19-36","source":"Crossref","is-referenced-by-count":15,"title":["An improved feature extraction algorithm for insider threat using hidden Markov model on user behavior detection"],"prefix":"10.1108","volume":"30","author":[{"given":"Xiaoyun","family":"Ye","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Myung-Mook","family":"Han","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","published-online":{"date-parts":[[2020,7,3]]},"reference":[{"key":"key2022012710483858400_ref001","first-page":"4352","article-title":"Study on the applications of hidden Markov models to computer intrusion detection","volume-title":"Proceedings of the 5th World Congress on Intelligent Control and Automation (IEEE Cat. No. 04EX788)","year":"2004"},{"key":"key2022012710483858400_ref002","first-page":"7","volume-title":"Applied Probability and Queues","year":"2008"},{"issue":"1","key":"key2022012710483858400_ref003","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1049\/iet-cps.2017.0010","article-title":"Enabling cyber-physical communication in 5G cellular networks: challenges, spatial spectrum sensing, and cyber-security","volume":"2","year":"2017","journal-title":"IET Cyber-Physical Systems: Theory and Applications"},{"key":"key2022012710483858400_ref004","doi-asserted-by":"crossref","first-page":"73603","DOI":"10.1109\/ACCESS.2018.2878681","article-title":"Big data meet cyber-physical systems: a panoramic survey","volume":"6","year":"2018","journal-title":"IEEE Access"},{"key":"key2022012710483858400_ref005","first-page":"1","article-title":"An inequality and associated maximization technique in statistical estimation of probabilistic functions of a Markov process","volume":"3","year":"1972","journal-title":"Inequalities"},{"issue":"3","key":"key2022012710483858400_ref006","doi-asserted-by":"crossref","first-page":"360","DOI":"10.1090\/S0002-9904-1967-11751-8","article-title":"An inequality with applications to statistical estimation for probabilistic functions of Markov processes and to a model for ecology","volume":"73","year":"1967","journal-title":"Bulletin of the American Mathematical Society"},{"issue":"6","key":"key2022012710483858400_ref007","doi-asserted-by":"crossref","first-page":"1554","DOI":"10.1214\/aoms\/1177699147","article-title":"Statistical inference for probabilistic functions of finite state Markov chains","volume":"37","year":"1966","journal-title":"The Annals of Mathematical Statistics"},{"issue":"2","key":"key2022012710483858400_ref008","doi-asserted-by":"crossref","first-page":"211","DOI":"10.2140\/pjm.1968.27.211","article-title":"Growth transformations for functions on manifolds","volume":"27","year":"1968","journal-title":"Pacific Journal of Mathematics"},{"issue":"1","key":"key2022012710483858400_ref009","doi-asserted-by":"crossref","first-page":"164","DOI":"10.1214\/aoms\/1177697196","article-title":"A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains","volume":"41","year":"1970","journal-title":"The Annals of Mathematical Statistics"},{"issue":"1","key":"key2022012710483858400_ref010","article-title":"Dempster-Shafer fusion of multisensor signals in nonstationary Markovian context","volume":"2012","year":"2012","journal-title":"EURASIP Journal on Advances in Signal Processing"},{"issue":"2","key":"key2022012710483858400_ref011","first-page":"269","article-title":"Detecting homogeneous segments in DNA sequences by using hidden Markov models","volume":"49","year":"2000","journal-title":"Journal of the Royal Statistical Society: Series C (Applied Statistics))"},{"key":"key2022012710483858400_ref012","volume-title":"Hidden Markov Models: Applications in Computer Vision","year":"2001"},{"key":"key2022012710483858400_ref013","article-title":"CERT insider threat data set","author":"CERT","year":"2020"},{"key":"key2022012710483858400_ref014","first-page":"45","volume-title":"Multi-Domain Information Fusion for Insider Threat Detection","year":"2013"},{"key":"key2022012710483858400_ref015","article-title":"The Viterbi algorithm: a personal history","volume-title":"Viterbi Conference, March 8, 2005","year":"2005"},{"key":"key2022012710483858400_ref016","first-page":"2638","article-title":"Graph based framework for malicious insider threat detection","volume-title":"Proceedings of the 50th HI International Conference on System Sciences","year":"2017"},{"issue":"1","key":"key2022012710483858400_ref017","doi-asserted-by":"crossref","first-page":"9","DOI":"10.1142\/S0218001401000836","article-title":"An introduction to hidden Markov models and Bayesian networks","volume":"15","year":"2001","journal-title":"International Journal of Pattern Recognition and Artificial Intelligence"},{"key":"key2022012710483858400_ref018","volume-title":"Hidden Markov Models for Speech Recognition","year":"1990"},{"key":"key2022012710483858400_ref019","first-page":"29","volume-title":"A First Course in Stochastic Processes","year":"2014"},{"key":"key2022012710483858400_ref020","first-page":"40","article-title":"A* parsing: fast exact Viterbi parse selection","volume-title":"Proceedings of the 2003 Conference of the North American Chapter of the Association for Computational Linguistics on Human Language Technology, May 27, 2003","year":"2003"},{"key":"key2022012710483858400_ref021","first-page":"106","volume-title":"Stochastic Processes: A Survey of the Mathematical Theory","year":"2012"},{"issue":"8","key":"key2022012710483858400_ref022","doi-asserted-by":"crossref","first-page":"3091","DOI":"10.1109\/TSP.2005.851131","article-title":"Unsupervised restoration of hidden nonstationary Markov chain using evidential priors","volume":"53","year":"2005","journal-title":"IEEE Transactions on Signal Processing"},{"key":"key2022012710483858400_ref023","first-page":"188","volume-title":"Stochastic Processes","year":"1999"},{"issue":"1","key":"key2022012710483858400_ref024","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.ijar.2006.05.001","article-title":"Multisensor triplet Markov chains and theory of evidence","volume":"45","year":"2007","journal-title":"International Journal of Approximate Reasoning"},{"key":"key2022012710483858400_ref025","first-page":"58","volume-title":"Markov Random Fields","year":"1982"},{"issue":"2","key":"key2022012710483858400_ref026","doi-asserted-by":"crossref","first-page":"172","DOI":"10.1109\/14.212242","article-title":"Use of hidden Markov models for partial discharge pattern classification","volume":"28","year":"1993","journal-title":"IEEE Transactions on Electrical Insulation"},{"key":"key2022012710483858400_ref027","article-title":"Efficient parsing of highly ambiguous context-free grammars with bit vectors","volume-title":"Proceedings of the 20th international conference on Computational Linguistics, August 23-27, 2004, Article No. 162","year":"2004"},{"key":"key2022012710483858400_ref028","first-page":"2","volume-title":"Basics of Applied Stochastic Processes","year":"2009"},{"key":"key2022012710483858400_ref029","first-page":"174","volume-title":"Stochastic Processes","year":"1996"},{"issue":"1","key":"key2022012710483858400_ref030","doi-asserted-by":"crossref","first-page":"315","DOI":"10.1016\/j.eswa.2012.07.057","article-title":"Advanced probabilistic approach for network intrusion forecasting and detection","volume":"40","year":"2013","journal-title":"Expert Systems with Applications"},{"key":"key2022012710483858400_ref031","doi-asserted-by":"crossref","first-page":"435","DOI":"10.1093\/nar\/gkl200","article-title":"AUGUSTUS: Ab initio prediction of alternative transcripts","volume":"34","year":"2006","journal-title":"Nucleic Acids Research"},{"issue":"2","key":"key2022012710483858400_ref032","doi-asserted-by":"crossref","first-page":"156","DOI":"10.1137\/1105015","article-title":"Conditional Markov processes","volume":"5","year":"1960","journal-title":"Theory of Probability and Its Applications"},{"key":"key2022012710483858400_ref033","article-title":"Text mining using HMM and PMM","year":"2001"},{"key":"key2022012710483858400_ref034","article-title":"Modeling form for online following of musical performances","volume-title":"Proceedings of the National Conference on Artificial Intelligence, July 9-13","year":"2005"},{"key":"key2022012710483858400_ref035","first-page":"227","article-title":"Real-Time American sign language visual recognition from video using HMMs","volume-title":"Motion-Based Recognition","year":"1997"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2019-0142\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-12-2019-0142\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:27Z","timestamp":1753406607000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/30\/1\/19-36\/104723"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,7,3]]},"references-count":35,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2020,7,3]]},"published-print":{"date-parts":[[2022,1,31]]}},"alternative-id":["10.1108\/ICS-12-2019-0142"],"URL":"https:\/\/doi.org\/10.1108\/ics-12-2019-0142","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2020,7,3]]}}}